1.4 How Trustwave MailMarshal Works

MailMarshal is a server-based Simple Mail Transfer Protocol (SMTP) email content scanning product that is easy to install in new or existing networks with other gateway applications. It complements and is compatible with traditional Internet firewalls, SMTP mail servers, antivirus scanners, and other security applications.

MailMarshal consists of several components: the Array Manager, one or more email processing servers, a Microsoft SQL Server database, and optional management websites. Small organizations can install the components on a single computer, which can also act as the local SMTP/POP3 email server. Large organizations can install the components across several computers. Enterprises can manage a distributed array of email processing servers with a single Array Manager computer.

MailMarshal provides one main user interface (the Management Console), as well as an optional end-user Spam Quarantine Management site.

1.4.1 Understanding What MailMarshal Does

The MailMarshal installation functions as the email gateway of an organization. All inbound and outbound email passes through the MailMarshal Server. You can use multiple MailMarshal Servers to provide multiple gateways or to add bandwidth and redundancy to a single gateway.

Each MailMarshal Server runs several component services, including the Receiver, Engine, and Sender services.

Table 1: MailMarshal component functions

Receiver Functions:
    Inbound TLS
    SMTP Authentication
    Blocked Hosts
    Relaying Tables
    DoS Protection
    DHA Protection
    Reputation Services (DNS Blocklists)
    Global Header Rewriting
    Connection Policy (Receiver Rules)
    DKIM, SPF, and DMARC Evaluation
    SpamProfiler rejection

Engine Functions:
    Content Analysis Policy (Standard Rules)
    Malware Scanning
    SpamBotCensor
    SpamProfiler and SpamCensor quarantining
    SpamCensor advanced usage (spam types)
    NDRCensor
    Suspect URL Check
    Blended Threats URL Rewriting
    Message Archiving
    Route Message To Host
    Message Parking
    DKIM Signing
    Azure Information Protection RMS decryption

Sender Functions:
    Domain Routing Tables
    Outbound TLS
    DANE validation
    SMTP Authentication

All inbound and outbound email enters the MailMarshal Server at the Receiver. At this stage, MailMarshal can apply SpamProfiler checks and Connection Policy rules to messages. Receiver blocking options offer powerful protection because they allow you to refuse incoming email based on criteria such as email not addressed to a recipient in your organization. Connection Policy rules that block email this way conserve resources for other legitimate email.

Next, the MailMarshal Engine unpacks each email, expanding any attached archive or compressed files. The Engine then checks each component against Content Analysis Policy Rules you have enabled, including SpamCensor scripts, URLCensor, TextCensor scripts, and any other rules you have enabled. You can alter the effects of MailMarshal rules by changing the rule order and by changing specific characteristics of the rule.

MailMarshal also scans email for viruses using antivirus scanning software. MailMarshal supports several integrated scanners with high-throughput interfaces. The product can also use many other antivirus scanners that return results in the required format. However, non-integrated scanners deliver much lower throughput.

After the MailMarshal Engine evaluates each email component against the rules, it determines whether to accept, modify, or quarantine the email.

Accepted email is passed to the MailMarshal Sender for delivery to the appropriate recipients. The Sender can enforce use of TLS and DANE validation.

Modified email can be delivered to recipients with attachments removed.

Virus-laden email is quarantined.

MailMarshal can also notify administrators of specific actions or notify end-users of quarantined email. You can associate the appropriate rule action when you create or modify rules.
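
A simplified model of the Engine stage described above, as an added example that is not MailMarshal code: it unpacks nested zip attachments, applies ordered rules to each component, and returns accept, modify, or quarantine. The rule names, the first-match-wins semantics, the unpack limits, and the marker string are assumptions made for illustration.

```python
import io
import zipfile

MAX_DEPTH, MAX_MEMBER = 3, 1_000_000   # assumptions: nesting and member-size limits
MARKER = b"CONSTRUCTED-MALWARE-MARKER"   # stand-in for a scanner detection

def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()

def unpack(name, data, depth=0):
    """Yield (path, bytes) for a component and all nested members (None = over limit)."""
    yield name, data
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            path = f"{name}/{info.filename}"
            if depth >= MAX_DEPTH or info.file_size > MAX_MEMBER:
                yield path, None
            else:
                yield from unpack(path, z.read(info), depth + 1)

# Ordered rules: (rule name, predicate(path, data), action). All constructed.
RULES = [
    ("malware marker", lambda p, d: MARKER in d, "quarantine"),
    ("block executables", lambda p, d: p.lower().endswith(".exe"), "strip"),
]

def evaluate(attachments, rules=RULES):
    """Return (verdict, [(path, rule name)]) for a list of (filename, bytes)."""
    hits = []
    for fname, blob in attachments:
        for path, data in unpack(fname, blob):
            if data is None:                      # fail closed on unpack limits
                hits.append((path, "unpack limit", "quarantine"))
                continue
            for rule_name, matches, action in rules:
                if matches(path, data):           # first matching rule wins
                    hits.append((path, rule_name, action))
                    break
    actions = {action for _, _, action in hits}
    verdict = ("quarantine" if "quarantine" in actions
               else "modify" if "strip" in actions else "accept")
    return verdict, [(path, rule) for path, rule, _ in hits]
```

In this model, an executable that also carries the marker is quarantined with the default rule order but only stripped when the two rules are swapped, which is the kind of effect rule ordering has on the outcome.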

1.4.2 Configuring MailMarshal

You configure MailMarshal rules and settings using the Management Console web interface. Changes made and committed in the Management Console are applied through the MailMarshal Array Manager. The Array Manager coordinates the activity of all other MailMarshal Servers in the array and connects with the user interfaces, optional end user quarantine management server, and the database.

The initial configuration settings allow MailMarshal to act as the email gateway of an organization. You can enforce a wide variety of Acceptable Usage Policies by customizing the way MailMarshal processes email connections, content, and attachments.

1.4.3 Monitoring and Reporting

The Management Console features the Dashboard to summarize MailMarshal activity and server health at a glance. Using the Console, email administrators can review email processing history for a message and view and release any quarantined message.

The administrator can grant other users access to specific Console functions. Using this feature, the administrator can delegate basic tasks to help desk or departmental personnel. The Management Console is web-based to allow remote access.

Email users can review and manage suspected spam and other quarantined email using daily email digests and the Spam Quarantine Management Web-based console. This console is a Web application you can easily deploy on your intranet Web server running Microsoft Internet Information Services (IIS).

Administrators and managers can generate reports on MailMarshal activity using Marshal Reporting Console. Marshal Reporting Console uses SQL Server Reporting Services to produce reports. This is a server application with a website interface. Marshal Reporting Console can deliver reports by web view, email, FTP, or local network files, and can schedule automatic delivery of reports.

Marshal Reporting Console is provided as a separate package from Trustwave. This application is available to all MailMarshal customers.

1.5 Trustwave MailMarshal and MailMarshal Cloud

Trustwave MailMarshal is a gateway solution that applies email content security to email inbound from or outbound to the Internet. MailMarshal Cloud is a cloud-based solution that applies the power of MailMarshal in a managed cloud service compatible with cloud-based mail providers or on-premises solutions.

For more information about MailMarshal Cloud, see the documentation available on the Trustwave website.

Trustwave MailMarshal 10.2.5 User Guide August 2024
Full document: see MailMarshal Documentation.